You should not do that since there is no reason to disallow the user from doing what they want.
But if you really want it, writing a custom boot ROM and OS is probably the only way you can have an actually secure system (you might need a custom CPU as well).
Given the lack of skill and discipline of most programmers the whole TPM/secure-boot/UEFI/grub/Linux/dm-verity stack is likely full of holes, so just the assuming that it works as you'd expect will probably be disappointing.
> You should not do that since there is no reason to disallow the user from doing what they want.
For desktop computing ("personal computing", if you like), anyone here will agree.
But the article is specifically talking about securing appliances, and generally when talking about appliances, you're talking about rackable machines sold to the enterprise. There, they don't care a jot about being able to muck around with the machine - the whole point of an appliance is that you plug it in and go; that is more or less manages itself.
And for many of these customers, and of course any operating in a high-security environment (e.g. defence), this level of security is a feature, not a hindrance.
But if you really want it, writing a custom boot ROM and OS is probably the only way you can have an actually secure system (you might need a custom CPU as well).
Given the lack of skill and discipline of most programmers the whole TPM/secure-boot/UEFI/grub/Linux/dm-verity stack is likely full of holes, so just the assuming that it works as you'd expect will probably be disappointing.